ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-04-30 09:43:28
from [McDowell, Brett] [Permanent Link] 
On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:


On 04/30/2010 07:05 AM, McDowell, Brett wrote:


In that scenario, if the MLM re-signing solution has been deployed by Y, and 
DKIM+ADSP has been deployed by X&  Z, and Z has chosen to take action on X's 
ADSP policies... the only thing Z is trusting Y to do is validate incoming 
DKIM signatures, re-sign the messages with its own DKIM signature, and pass 
it along with the A-R results that convey what was done.  Z is not trusting 
everything and anything that might ever come through Y.

I think that's a reasonable level of trust to expect mailbox providers to 
have in mail lists who assert that they do this.  Rogue mail lists will stop 
being trusted but only after they have "lost" the trust that was granted to 
them via their standards-based assertion (we would probably need to spec out 
how a MLM advertises that they indeed conduct flows in this manner) that 
they perform these functions on incoming mail.

Again, I'm not saying this is the best or most elegant way of handling the 
problem of properly authenticated mail not being able to traverse mail 
lists, but it seems worthy of further discussion as an option.


Yeahbut... there are zillions of mailing lists out there. How do you know the 
good ones
from the bad ones? Keep in mind, of course, that bad guys can resign too, and 
they can
easily make themselves look like a mailing list if that's something that 
gives them
advantage.


Indeed.  But mailbox providers all have their own secret sauce for figuring out 
reputation of senders that I believe they could apply to this new flavor of 
sender -- meaning MLM's who adopt the MLM-DKIM spec we seem to be debating the 
virtues of developing -- without too much overhead.



If the solution is some sort of (third party) reputation/whitelist, then 
there's really
not much for us to do, right?


I think we still need this spec I'm starting to refer to as MLM-DKIM to specify 
both the proper way of conducting this re-signing & reporting practice and how 
the MLM advertises that they follow it.


Even with your discardable adsp setting, it becomes a
matter of the order of checks at the receiver's gate (eg, whitelist first, 
then adsp...)



But since mailbox providers already manage reputation at scale, how much of a 
burden is adding this bit to the mix?  Remember this only affects mailbox 
providers who have decided to do DKIM blocking based on ADSP discardable 
policies (for some, if not all senders).
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures, Ian Eiloart
Next by Date:  Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion, Ian Eiloart
Previous by Thread:  Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion, Michael Thomas
Next by Thread:  Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion, Michael Thomas
Indexes:  [Date] [Thread] [Top] [All Lists]